Here is the report and the complete diagram. And sorry for the email problem and the incomplete email! I have made a new test.

Eth0 and eth2 are bridged.
I can ping NET from LAN.
I can ping every firewall's interface from LAN.
I can ping eth1 from private LAN.
I can ping everything from the firewall.
Bridging is activated in shorewall.conf.

From LAN I can ping 192.168.11.253 but not 192.168.11.254.
From Private LAN (test machine) I can ping and ssh 192.168.11.253, but I want to ping and ssh machines on LAN.

For example I have tried to add the rule:

DNAT cms loc:192.168.1.53 tcp 23

and telnet 192.168.11.253 from private LAN, but packets aren't redirected.

I just want the Private LAN and LAN connected without losing the internet connection. I can try every idea submitted. I have spent hours to solve this without success and I try hard! Thanks

# Shorewall version 2.0.8

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:2f:09:ff:a1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::211:2fff:fe09:ffa1/64 scope link
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:96:96:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.253/24 brd 192.168.11.255 scope global eth1
    inet6 fe80::240:f4ff:fe96:9665/64 scope link
       valid_lft forever preferred_lft forever
7: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:96:98:17 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::240:f4ff:fe96:9817/64 scope link
       valid_lft forever preferred_lft forever
8: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
9: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:11:2f:09:ff:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.199/24 brd 192.168.1.255 scope global br0
    inet6 fe80::211:2fff:fe09:ffa1/64 scope link
       valid_lft forever preferred_lft forever

# ip route show
172.16.0.0/24 dev br0 scope link
192.168.1.0/24 dev br0 scope link
192.168.33.0/24 via 192.168.11.254 dev eth1
192.168.11.0/24 dev eth1 scope link
190.0.0.0/16 dev br0 scope link
default via 192.168.1.254 dev br0

                 Net                      Test machine : 192.168.33.152
                  |                       Private network : 192.168.33.0/24
                  |                         (Gateway : 192.168.33.254)
                  |                                    |
                  |                       Private ISP router : 192.168.33.254
                  |                                    |
     Router ISP : 192.168.1.254           Private ISP router : 192.168.11.254
     ------------------------             --------------------------------
                  |                                    |
   -------------------------------------------------------------
   |  Eth2 : noip (net)               Eth1 : 192.168.11.253    |
   |       |                                (cms)              |
   |  br0 : 192.168.1.199                                      |
   |       |                                                   |
   |  Eth0 : noip (loc)                                        |
   -------------------------------------------------------------
                  |
   ------------------------------------------
   LAN 192.168.1.0/24 - Gateway : 192.168.1.254
   LAN 172.16.0.0/24
   LAN 190.0.0.0/16

Firewall : Shorewall 2.0.8, Fedora Core 2

Shorewall zone (hosts) :
#ZONE   HOST(S)     OPTIONS
net     br0:eth2
loc     br0:eth0    routeback

Shorewall interfaces :
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect
cms     eth1        detect      routeback

Shorewall policy :
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
net     all     DROP    info
loc     fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
cms     loc     ACCEPT
loc     cms     ACCEPT
fw      cms     ACCEPT
cms     fw      ACCEPT
cms     net     ACCEPT

Shorewall zones :
#ZONE   DISPLAY COMMENTS
Cms     Cms     Global intranet
net     Net     Internet
loc     Local   Local networks
Frédéric Raynaud wrote:
> #ip route show
>
> 172.16.0.0/24 dev br0 scope link
> 192.168.1.0/24 dev br0 scope link
> 192.168.33.0/24 via 192.168.11.254 dev eth1
> 192.168.11.0/24 dev eth1 scope link
> 190.0.0.0/16 dev br0 scope link
> default via 192.168.1.254 dev br0
>
>                  Net                      Test machine : 192.168.33.152
>                   |                       Private network : 192.168.33.0/24
>                   |                         (Gateway : 192.168.33.254)
>                   |                                    |
>                   |                       Private ISP router : 192.168.33.254
>                   |                                    |
>      Router ISP : 192.168.1.254           Private ISP router : 192.168.11.254
>      ------------------------             --------------------------------
>                   |                                    |
>    -------------------------------------------------------------
>    |  Eth2 : noip (net)               Eth1 : 192.168.11.253    |
>    |       |                                (cms)              |
>    |  br0 : 192.168.1.199                                      |
>    |       |                                                   |
>    |  Eth0 : noip (loc)                                        |
>    -------------------------------------------------------------
>                   |
>    ------------------------------------------
>    LAN 192.168.1.0/24 - Gateway : 192.168.1.254

If the gateway is 192.168.1.254, then traffic from the LAN to 192.168.33.0/24 will be sent *to the ISP's router* and will not be examined by your firewall.

In order to make this work, the LAN's default gateway would have to be 192.168.1.199 (which somewhat defeats the advantage of the bridge).

The Bridge/Firewall example in the Shorewall Bridge documentation (http://shorewall.net/bridge.html) suffers from the same problem -- I'll correct it ASAP.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> If the gateway is 192.168.1.254, then traffic from the LAN to
> 192.168.33.0/24 will be sent *to the ISP's router* and will not be
> examined by your firewall.
>
> In order to make this work, the LAN's default gateway would have to be
> 192.168.1.199 (which somewhat defeats the advantage of the bridge).
>

Alternatively, you might be able to configure a route to 192.168.33.0/24 via 192.168.1.199 *on the ISP's router*. That router can then redirect only the traffic for that network to 192.168.1.199. Hopefully, the ISP's router would send ICMP redirects in that case -- otherwise, your firewalling becomes complicated because traffic from the local network to the private LAN goes through the firewall twice.

> The Bridge/Firewall example in the Shorewall Bridge documentation
> (http://shorewall.net/bridge.html) suffers from the same problem -- I'll
> correct it ASAP.

In that case, since there were only two systems in the DMZ, the proper solution was to simply add the appropriate route to the local network on each DMZ system.

-Tom
Tom Eastep
2004-Oct-04 18:43 UTC
Re: RE : RE : RE : Bridge and routing question - complete email.
Frédéric Raynaud wrote:
> Because from private LAN, I can't access directly the LAN.
> I have another LAN with the same subnet elsewhere.
> From private LAN I must ssh 192.168.11.253, then shorewall redirects traffic
> to 192.168.1.53.
> On private LAN I have a route for 192.168.11.0/24, not for 192.168.1.0/24.
>
> The 'ideal' configuration would be : LAN 192.168.11.0/24, but I can't change
> this for the moment.
> So I must find something to translate 192.168.11.0/24 to 192.168.1.0/24
> without losing the internet connection.
>
> It sounds strange to you ?
>

So you are saying that the systems in the private LAN can't route to the 192.168.1.0/24 network -- If that is the case then why are you complaining about not being able to ping the 192.168.11.0/24 network from the 192.168.1.0/24 network? I must be missing something...

-Tom
Tom Eastep
2004-Oct-04 19:31 UTC
Re: RE : RE : RE : Bridge and routing question - complete email.
Tom Eastep wrote:
> Frédéric Raynaud wrote:
>
>> Because from private LAN, I can't access directly the LAN.
>> I have another LAN with the same subnet elsewhere.
>> From private LAN I must ssh 192.168.11.253, then shorewall redirects traffic
>> to 192.168.1.53.
>> On private LAN I have a route for 192.168.11.0/24, not for 192.168.1.0/24.
>>
>> The 'ideal' configuration would be : LAN 192.168.11.0/24, but I can't change
>> this for the moment.
>> So I must find something to translate 192.168.11.0/24 to 192.168.1.0/24
>> without losing the internet connection.
>>
>> It sounds strange to you ?
>>
>
> So you are saying that the systems in the private LAN can't route to the
> 192.168.1.0/24 network -- If that is the case then why are you
> complaining about not being able to ping the 192.168.11.0/24 network
> from the 192.168.1.0/24 network? I must be missing something...

My point is that if you need to DNAT when going from the private LAN to the LAN then I would think that you would have to SNAT in the other direction.

-Tom
Tom Eastep
2004-Oct-04 23:10 UTC
Re: RE : RE : RE : Bridge and routing question - complete email.
Frédéric Raynaud wrote:
>
>> -----Original Message-----
>> From: Tom Eastep [mailto:teastep@shorewall.net]
>> Sent: Monday 4 October 2004 21:32
>> To: Mailing List for Shorewall Users
>> Cc: f.raynaud@medi-partenaires.fr
>> Subject: Re: RE : RE : RE : [Shorewall-users] Bridge and
>> routing question - complete email.
>>
>> Tom Eastep wrote:
>>> Frédéric Raynaud wrote:
>>>> Because from private LAN, I can't access directly the LAN. I have
>>>> another LAN with the same subnet elsewhere.
>>>> From private LAN I must ssh 192.168.11.253, then shorewall redirects traffic
>>>> to 192.168.1.53.
>>>> On private LAN I have a route for 192.168.11.0/24, not for
>>>> 192.168.1.0/24.
>>>>
>>>> The 'ideal' configuration would be : LAN 192.168.11.0/24, but I can't change
>>>> this for the moment.
>>>> So I must find something to translate 192.168.11.0/24 to
>>>> 192.168.1.0/24 without losing the internet connection.
>>>>
>>>> It sounds strange to you ?
>>>>
>>
>> So you are saying that the systems in the private LAN can't route to
>> the 192.168.1.0/24 network -- If that is the case then why are you
>> complaining about not being able to ping the 192.168.11.0/24 network
>> from the 192.168.1.0/24 network? I must be missing something...
>
> I'm not 'complaining' about nothing...

Then all of your problems are solved?

> I first think that the DNAT rules have a special behaviour with one of the
> interfaces included in a bridge.

Not that I have ever seen.

> Forget my private LAN, and call it 'virtualNET'. From virtualNET I ssh to
> 192.168.1.53 (reachable)
> And I want shorewall to forward the ssh to 192.168.1.53 (again reachable by my
> router)

There is something wrong there -- you connect to 192.168.1.53 and you want Shorewall to forward it to 192.168.1.53 (the same system)?

> But... I also have a bridge...
> I don't make it !
> The private LAN (192.168.33.0) can route to cms zone (192.168.11.0) and can
> reach 192.168.33.253 (eth1)
> The LAN (192.168.1.0) 'should' route to cms zone (192.168.11.0) but can only
> access 192.168.33.253 (eth1)
> My goal is to forward traffic through eth1
> For example from 192.168.33.152 : ssh 192.168.11.253 (I can tcpdump this
> packet on eth1)
> And shorewall forwards the ssh connection to 192.168.1.53 (because shorewall
> can reach 192.168.1.53 via eth0 or br0)
> But it doesn't work with this rule :
> DNAT cms loc:192.168.1.53:22 tcp 22
>
> And from 192.168.1.53, I can't ping 192.168.11.254 (but I can ping
> 192.168.11.253)
>

So what I think you are trying to do is connect from virtualNET to 192.168.11.253 and you want Shorewall to forward the connection to 192.168.1.53. You have this rule:

DNAT cms loc:192.168.1.53:22 tcp 22

where 'cms' is associated with eth1 in /etc/shorewall/interfaces.

And what I believe is happening is that Shorewall is forwarding the request to 192.168.1.53, who tries to send a reply. But 192.168.1.53 has no route to the client host in VirtualNET so it sends the reply to 192.168.1.254. That system then sends the reply off to the internet where some router along the way (either at your ISP or on the backbone) throws it away.

If you follow the port forwarding troubleshooting advice in FAQs 1a and 1b, you can probably confirm this analysis.

-Tom
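Both of Tom's points in this thread (LAN hosts sending 192.168.33.0/24 traffic to the ISP router, and the DNAT'd server's reply leaving via 192.168.1.254 instead of the firewall) come down to a longest-prefix-match route lookup on the wrong host. The following Python model is an added example, not code from the thread or from Shorewall: it uses the firewall's route table as posted above and an assumed table for 192.168.1.53 (on-link 192.168.1.0/24 plus the default gateway 192.168.1.254 from the diagram, no route to 192.168.33.0/24), and shows why a DNAT-only forward gets a reply sent to the ISP router while SNATing the client to the firewall's br0 address 192.168.1.199 keeps the reply on the firewall.

```python
import ipaddress

# Route tables as (prefix, next hop); "direct" means on-link delivery.
# FIREWALL is transcribed from the "ip route show" output in the thread.
FIREWALL = [
    ("172.16.0.0/24", "direct"),             # dev br0
    ("192.168.1.0/24", "direct"),            # dev br0
    ("192.168.33.0/24", "192.168.11.254"),   # via eth1
    ("192.168.11.0/24", "direct"),           # dev eth1
    ("190.0.0.0/16", "direct"),              # dev br0
    ("0.0.0.0/0", "192.168.1.254"),          # default via br0
]
# LAN_HOST is an ASSUMED table for 192.168.1.53: only the on-link LAN and
# the default gateway from the diagram; nothing for 192.168.33.0/24.
LAN_HOST = [
    ("192.168.1.0/24", "direct"),
    ("0.0.0.0/0", "192.168.1.254"),
]

def next_hop(table, dst):
    """Longest-prefix-match lookup, the way the kernel picks a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]

def dnat_only_reply():
    # VirtualNET client 192.168.33.152 -> 192.168.11.253, DNAT'd to
    # 192.168.1.53. The source is untouched, so the server's reply is
    # routed toward 192.168.33.152 using the server's own table.
    return next_hop(LAN_HOST, "192.168.33.152")

def dnat_plus_snat_reply(snat_addr="192.168.1.199"):
    # Same connection, but the firewall also SNATs the client to its br0
    # address, so the server's reply is addressed to the firewall itself.
    return next_hop(LAN_HOST, snat_addr)

if __name__ == "__main__":
    print("LAN host -> 192.168.33.1 leaves via", next_hop(LAN_HOST, "192.168.33.1"))
    print("firewall -> 192.168.33.152 leaves via", next_hop(FIREWALL, "192.168.33.152"))
    print("reply with DNAT only leaves via", dnat_only_reply())
    print("reply with DNAT+SNAT is delivered", dnat_plus_snat_reply())
```

The first print reproduces the earlier bridge problem (the LAN host never hands 192.168.33.0/24 traffic to the firewall), and the last two show the asymmetric reply path that makes the DNAT rule appear not to work.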